Forms and Policies

Security and confidentiality requirements

In the course of carrying out Yale's academic, research and clinical missions, faculty, staff and students collect many different types of information, including financial, academic, health, human resources information, and personally identifiable information. Federal and state laws impose many obligations on Yale to protect the confidentiality of information about students, employees, and patients.

In addition to regulatory requirements, there are also requirements stipulated by other organizations when the University requests use of those organizations' data sets. In turn, every member of the University has the obligation to implement appropriate safeguards to meet these requirements.

Appropriate protections (security controls) for the confidentiality, integrity and availability of data must be implemented to comply with regulations, contracts and other agreements. Implementation of required administrative, technical & physical security controls varies, but implementation may involve substantial resources – including financial, IT and human resources. Many researchers and departments may not have the required resources and/or IT support to implement security controls, so it is critical that there is a clear understanding of IT and information security roles and responsibilities, well in advance of entering into an agreement, grant or contract.

Protecting Social Security numbers and financial account information

Federal and Connecticut state laws protect the privacy and security of Social Security numbers and financial account numbers, and this type of information is subject to strict three-lock protection in use, transmission, and storage.

Report any incidents immediately

If you suspect that a data breach of personal financial information has occurred, please contact Yale's Information Security Office immediately to report the incident.

Compliance with HIPAA security requirements

The federal Health Insurance Portability and Accountability Act (HIPAA) requires Yale to maintain the confidentiality of electronic health information that can be linked to an individual patient (electronic Protected Health Information, or ePHI), and Yale has adopted policies to ensure that we comply with this obligation.

All ePHI is subject to strict three-lock protection in use, storage, and transmission, and all Yale employees who have access to ePHI must pass HIPAA training.

Effective September 23, 2009, the HITECH Act 'Breach Notification for Unsecured PHI; Interim Final Rule' requires that if PHI is breached, we notify individuals, and, for breaches affecting more than 500 patients, the media and the government. Please see the information related to breach notification.

The Yale University HIPAA site is the best source of detailed information on Yale's HIPAA compliance policies and procedures, as well as information on HIPAA training and other HIPAA compliance topics.

Compliance with FERPA confidentiality requirements

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the confidentiality of many student records. Because FERPA covers such a large variety of information and contains so many exceptions, student records may be 3-Lock, 2-Lock, or even 1-Lock data, depending on the nature of the records. For example, student disciplinary files would be subject to 3-Lock restrictions, but students' local addresses are usually 1-Lock information, even though both types of records are subject to FERPA.

If you have a specific question on how to use, store, or transmit student records, contact the Office of the General Counsel or the Information Security Office. For more information on FERPA, see Yale's FERPA statement.

Compliance with Department of Veterans Affairs (VA) research data security

All Yale University faculty and staff members involved in research sponsored by the U.S. Department of Veterans Affairs (VA) must comply with all requirements for protecting VA research subjects' privacy, and VA research data security and confidentiality.

Access to a VA server

In order to connect to a WHVA server (file server) from the Yale (or a network you must have a VA network ID and VA VPN access. Investigators who do not currently have a VA network ID and/or who want to obtain VA VPN access should contact Sid Hammons in the VA Research Office at 203.937.3830.

Contact information for VACT Information Security Office

Michael Raffanello - 203.937.3444 or 781.687.4844

Yale University HIPAA compliance policies & information

If you perform research that generates ePHI you should consult the Yale University HIPAA site for further information on HIPAA privacy and security regulations.

dbGaP - database of Genotypes and Phenotypes - NCBI

dbGaP, the database of Genotypes and Phenotypes from the National Center for Biotechnology Information (NCBI), requires a data security plan that is signed by the Chief Information Officer & Director of ITS and then submitted to the Office of Grant and Contract Administration:

Food and Drug Administration (FDA) - 21 CFR Part 11

Title 21 CFR Part 11 of the Code of Federal Regulations deals with the Food and Drug Administration (FDA) guidelines for electronic records and electronic signatures. Part 11 defines the criteria under which electronic records and electronic signatures are considered to be trustworthy, reliable and equivalent to paper records. Part 11 requires drug makers, medical device manufacturers, biotech companies, biologics developers, and other FDA-regulated industries, with some specific exceptions, to implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing electronic data.

    1. If your protocol is a partnership with a pharmaceutical/biotech company, that organization may take ownership/management/security of the computing devices used at Yale. Compliance may only be required if Yale computing devices or storage media are used.
    2. There may be requirements for certification that the EHR (Electronic Health Record) application you are using is compliant. Currently, the YNHH EPIC EHR is not compliant and there are no plans to bring it into compliance.


  • The Connecticut personnel file statute, which protects employee records
  • The Connecticut statute on the security of confidential electronic information, which protects Social Security numbers and financial account numbers.
  • DoD rule (48 CFR 204 and 252) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to add a contract clause requiring a contractor to notify DoD if the contractor is required to report its activities under the U.S.-International Atomic Energy Agency Additional Protocol.
  • U.S. Bureau of Labor Statistics National Longitudinal Surveys Children and Young Adults (NLSY geocode data) requires application documentation, including data security content.